Abstract 

Song [8] proposed very recently a password-based authentication 
and key establishment protocol using smart cards which attempts to 
solve some weaknesses found in a previous scheme suggested by Xu, 
Zhu, and Feng [9]. In this paper, we present attacks on the improved 
protocol, showing that it fails to achieve the claimed security goals. 

1 Introduction 

Remote user authentication is a central problem in network security. In 
a seminal paper, Lamport [5] proposed in 1981 a password-based scheme 
using hash chains. This scheme was later refined and used in a number of 
applications, notably Haller's famous S/KEY one-time password system [2]. 
Similar protocols based on smart cards gained some popularity shortly after 
that. In such schemes, the user is provided with a card and a password 
as identification tokens. When the user wishes to connect to the server, 
she provides the card with her password, which is used to construct a login 
message that is sent to the server to be validated. More sophisticated schemes 
force the server to be authenticated too, and also provide both parties with 
a shared secret (a session key) after the completion of the protocol. 

The common adversary model to analyze the security of authentication 
protocols based on smart cards assumes an attacker with full control over the 
communication channel between the user and the server. Consequently, all 
the messages exchanged can be intercepted, deleted, modified, or fabricated 
by the attacker. Additionally, protocols must assume that the attacker can 
temporarily get access to the user's smart card and the information stored in 
it, either directly (e.g. stealing the card or deceiving the user so she inserts 
the card in a malicious reader) or indirectly by observing emanations or 
other side channels [7]. 

[Figure 1: Notation used in Song's protocol.] 

Very recently, Song [8] showed various attacks against one such pro- 
tocol suggested by Xu, Zhu, and Feng [9]. The paper also presents an 
improved version, loosely based on the original scheme, which attempts to 
amend the identified vulnerabilities. In particular, Song claims that [8]: 
"The interactive authentication messages must not reduce the entropy of the 
password", and also: "The adversary must not be able to attack and gain 
access to the system by extracting the data stored on the smart card". In this 
paper, we present practical attacks showing that the protocol suggested by 
Song fails to achieve these goals. 

2 Review of Song's scheme 

We first give a brief description of Song's scheme as presented in [8]. The 
notation used in the protocol is summarized in Fig. 1. 

Initially, the server selects two large prime numbers $p$ and $q$ such that 
$p = 2q + 1$, and a secret key $x \in \mathbb{Z}_p^*$. Both $p$ and $x$ are kept secret. The 
protocol consists of four main phases (see Fig. 2). 

[Figure 2: Song's protocol.] 

2.1 Registration phase 

The user $A$ sends to $S$ her identity $ID_A$ and password $PW_A$ through a secure 
channel. The server then computes $B_A = h(ID_A^x \bmod p) \oplus h(PW_A)$, stores 
both $ID_A$ and $B_A$ in a smart card and sends it to $A$. 

2.2 Login phase 

User $A$ attaches her smart card to a reader and enters her identity and 
password. The card chooses a random number $R_A$, obtains the current 
timestamp $T_A$, and computes: 

$$K_A = B_A \oplus h(PW_A)$$

$$W_A = E_{K_A}(R_A \oplus T_A)$$

$$C_A = h(T_A \,\|\, R_A \,\|\, W_A \,\|\, ID_A)$$

It then sends the login message $\{ID_A, C_A, W_A, T_A\}$ to the server. 

2.3 Authentication phase 

2.3.1 User Authentication 

Upon receiving the login request at time $T^*$, $S$ first checks $A$'s identity and 
then validates the timestamp by checking that $(T^* - T_A) < \Delta T$. The server 
computes a local version of the session key as $K_A = h(ID_A^x \bmod p)$ and then 
recovers the nonce by doing $R_A = D_{K_A}(W_A) \oplus T_A$. It then computes a 
local version of $C_A$ and checks whether it coincides with the received value. 
If the verification goes through successfully, the user is authenticated and 
$S$ sends her the message $\{ID_A, C_S, T_S\}$, where $T_S$ is the server's timestamp 
and $C_S = h(ID_A \,\|\, R_A \,\|\, T_S)$. 

2.3.2 Server authentication 

Upon receiving the server's last message, $A$ validates the identity and the 
timestamp, and verifies that the received $C_S$ coincides with a local version 
computed by her using the original nonce. If that is the case, then $S$ is 
authenticated. 

2.3.3 Session key establishment 

Once both $A$ and $S$ are mutually authenticated, they compute a shared 
secret session key $sk = h(ID_A \,\|\, T_S \,\|\, T_A \,\|\, R_A)$, which is used to encrypt 
future communications. 

2.4 Password change 

Whenever the user wants to change her password, she first goes through 
the authentication protocol. Upon receiving the successful authentication 
confirmation from the server, $A$ introduces her new password $PW_A^{new}$ and 
the smart card updates the value of $B_A$ by doing¹ 
$B_A^{new} = B_A \oplus h(PW_A) \oplus h(PW_A^{new})$. 

¹ We note that the actual formulation of the update process described in [8] is 
$B_A^{new} = B_A \oplus PW_A \oplus PW_A^{new}$, which is clearly erroneous. 
3 Cryptanalysis 

3.1 Off-line password guessing attack 

In [8] it is claimed that "the adversary must not be able to attack and gain 
access to the system by extracting the data stored on the smart card." How- 
ever, an adversary who obtains the value $B_A = h(ID_A^x \bmod p) \oplus h(PW_A)$ 
can easily mount an off-line password guessing attack by simply observing 
one correct authentication session and getting access to the values $W_A$ and 
$C_A$. 

The attack works as follows. For each candidate password $PW_A^*$, the 
attacker computes the tentative encryption key $K_A^* = B_A \oplus h(PW_A^*)$. Such 
a key is then used to recover the candidate nonce value $R_A^*$ by first 
decrypting $W_A$ with $K_A^*$ and then XORing the result with $T_A$ (both of which are 
public); that is, $R_A^* = D_{K_A^*}(W_A) \oplus T_A$. Note that, if the attempted password 
$PW_A^*$ is correct (i.e., $PW_A^* = PW_A$), then so is the obtained encryption 
key $K_A^*$ and, consequently, the nonce $R_A^*$. Now, $C_A$ can be used to check 
if that is the case: the attacker computes $C_A^* = h(T_A \,\|\, R_A^* \,\|\, W_A \,\|\, ID_A)$ 
and, if it coincides with $C_A$, she can conclude that $R_A^*$ is correct and so is the 
candidate password tried. (In this reasoning we assume that $h$ has no 
collisions. Nevertheless, even if $h$ is not ideal, additional eavesdropped sessions 
can be used to rule out false positives and identify the correct password.) 

In short, contrary to what is claimed in [8], the messages exchanged 
during the protocol do indeed reduce the entropy of the password, at least 
for an attacker with access to the values stored in the card. Furthermore, 
once the password is guessed, the scheme offers no protection against other 
attacks, from simply cloning the card and impersonating the user, to 
recovering every session key established using the password. We elaborate on 
this in what follows. 

3.2 Poor reparability 

One particularly weak feature of Song's scheme is that the same key, namely 
$K_A = h(ID_A^x \bmod p)$, is always used to encrypt $(R_A \oplus T_A)$ during the login 
phase, regardless of the protocol session and during the entire life of the 
smart card. In general terms, this is not a recommendable practice, as it 
makes it difficult to restore the security offered by the protocol when the user 
suspects that the password has been compromised. 

To further clarify this, suppose that an attacker has successfully guessed 
the password as described above. With the information learnt she can now 
obtain the card's long-term secret $h(ID_A^x \bmod p)$, which could be used to 
fabricate a cloned card, perhaps with a different password. Even if the 
legitimate user suspects that the password may have been guessed, changing 
it does not alleviate the situation, as the same key will still be used regardless 
of the new password chosen! Therefore, the attacker can still impersonate 
the user as well as get access to future session keys. 

The only mechanism available to the user to recover from the fact that a 
password has been compromised is registering again with the server using a 
different identity and cancelling the current one, which is clearly 
unacceptable. 

3.3 Lack of perfect forward secrecy 

A trivial consequence of using the same encryption key across sessions is that 
the scheme does not offer perfect forward secrecy². Once $K_A$ is obtained 
(e.g., by guessing the password once), all previously established session keys 
can be easily computed, irrespective of the password used in the past. 
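To make the protocol of Section 2 and the observations of Sections 3.1 to 3.3 concrete, here is an added Python model; it is not part of the original paper and is not Song's own code. It assumes SHA-256 for $h$, a tiny constructed group ($p = 23$, $x = 7$) and, because the paper does not specify $E_K$, a keystream cipher $E_K(m) = m \oplus h(K)$; the function names, the 32-byte encodings, the timestamp window and the sample password are all constructed for illustration. `candidate_password_verifies` shows why $C_A$ lets a password guess be checked offline once $B_A$ is read from the card, and `login_key_survives_password_change` shows that $K_A$ is identical before and after a password change, which is the root of both the reparability and the forward-secrecy problems.

```python
"""Toy model of Song's protocol (Section 2) and of the weaknesses in Sections 3.1-3.3.

Constructed assumptions (not in the paper): h is SHA-256; 32-byte values are XORed
bytewise; identities and timestamps are 32-byte big-endian integers; and E_K / D_K,
which the paper leaves unspecified, are modelled as XOR with the keystream h(K).
"""
import hashlib
import secrets
from typing import Optional

P = 23        # toy safe prime p = 2q + 1, q = 11 (constructed; far too small for real use)
X = 7         # server's long-term secret x in Z_p^* (constructed)
DELTA_T = 60  # timestamp acceptance window in seconds (constructed)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k: bytes, m: bytes) -> bytes:
    """E_K(m) modelled as m XOR h(K); D_K is the same operation."""
    return xor(m, h(k))


def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")


def register(id_a: int, pw_a: bytes) -> dict:
    """2.1: the server stores ID_A and B_A = h(ID_A^x mod p) XOR h(PW_A) on the card."""
    return {"ID": id_a, "B": xor(h(i2b(pow(id_a, X, P))), h(pw_a))}


def login(card: dict, pw_a: bytes, t_a: int) -> dict:
    """2.2: the card derives K_A, picks nonce R_A and builds {ID_A, C_A, W_A, T_A}."""
    r_a = secrets.token_bytes(32)
    k_a = xor(card["B"], h(pw_a))
    w_a = enc(k_a, xor(r_a, i2b(t_a)))
    c_a = h(i2b(t_a), r_a, w_a, i2b(card["ID"]))
    return {"ID": card["ID"], "C": c_a, "W": w_a, "T": t_a, "_R": r_a}  # _R never leaves the card


def server_authenticate(msg: dict, t_now: int, t_s: int) -> Optional[dict]:
    """2.3.1: check T_A, recompute K_A from x, recover R_A, verify C_A; reply with C_S and sk."""
    if not 0 <= t_now - msg["T"] < DELTA_T:
        return None
    k_a = h(i2b(pow(msg["ID"], X, P)))
    r_a = xor(enc(k_a, msg["W"]), i2b(msg["T"]))
    if h(i2b(msg["T"]), r_a, msg["W"], i2b(msg["ID"])) != msg["C"]:
        return None
    return {"ID": msg["ID"], "C": h(i2b(msg["ID"]), r_a, i2b(t_s)), "T": t_s,
            "sk": h(i2b(msg["ID"]), i2b(t_s), i2b(msg["T"]), r_a)}


def user_authenticate(login_msg: dict, reply: dict) -> Optional[bytes]:
    """2.3.2 / 2.3.3: verify C_S with the card's own nonce, then derive sk."""
    if reply["ID"] != login_msg["ID"]:
        return None
    if h(i2b(reply["ID"]), login_msg["_R"], i2b(reply["T"])) != reply["C"]:
        return None
    return h(i2b(login_msg["ID"]), i2b(reply["T"]), i2b(login_msg["T"]), login_msg["_R"])


def change_password(card: dict, old_pw: bytes, new_pw: bytes) -> dict:
    """2.4: B_A^new = B_A XOR h(PW_A) XOR h(PW_A^new)."""
    return {"ID": card["ID"], "B": xor(xor(card["B"], h(old_pw)), h(new_pw))}


def candidate_password_verifies(b_a: bytes, id_a: int, public: dict, candidate: bytes) -> bool:
    """3.1: with B_A read from the card and the public fields {C_A, W_A, T_A} of one session,
    C_A acts as an offline oracle that confirms or rejects a candidate password."""
    k_star = xor(b_a, h(candidate))
    r_star = xor(enc(k_star, public["W"]), i2b(public["T"]))
    return h(i2b(public["T"]), r_star, public["W"], i2b(id_a)) == public["C"]


def login_key_survives_password_change(id_a: int, pw1: bytes, pw2: bytes) -> bool:
    """3.2 / 3.3: K_A = B_A XOR h(PW_A) is h(ID_A^x mod p) under any password, so a
    password change neither evicts a cloned card nor protects past session keys."""
    card = register(id_a, pw1)
    card_after = change_password(card, pw1, pw2)
    return xor(card["B"], h(pw1)) == xor(card_after["B"], h(pw2))


if __name__ == "__main__":
    card, t = register(5, b"correct horse"), 1_700_000_000
    msg = login(card, b"correct horse", t)
    reply = server_authenticate(msg, t + 1, t + 1)
    print("session keys agree:", reply is not None and user_authenticate(msg, reply) == reply["sk"])
    public = {k: v for k, v in msg.items() if k != "_R"}
    print("password guess confirmed offline:", candidate_password_verifies(card["B"], 5, public, b"correct horse"))
    print("K_A unchanged by password change:", login_key_survives_password_change(5, b"a", b"b"))
```

Running the file prints three `True` values. Only the relations between the protocol values matter here, not the toy parameters: the first result is the honest run of Section 2, the second is the checkable equation of Section 3.1 that a card-reading attacker gets for free, and the third is the invariance of $K_A$ that Sections 3.2 and 3.3 build on.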

3.4 Exploitation of incremental hash functions 

During the last part of the protocol, the server sends to the user the value 
$C_S = h(ID_A \,\|\, R'_A \,\|\, T_S)$, along with $ID_A$ and $T_S$. This construction may 
be extremely dangerous if $h$ is an incremental hash function (e.g., 
Merkle-Damgård [6]) without a convenient finalization stage. (We note that the 
majority of current standardized cryptographic hash algorithms fall in this 
category.) If such is the case, an attacker can intercept the message and, 
using $C_S$ and $T_S$, go backwards through the hash algorithm and recover the 
internal state exactly at the point where the input $(ID_A \,\|\, R'_A)$ has just been 
processed. Now, the attacker can choose a slightly different timestamp, say $T_S^{**}$, 
such that it will still be acceptable for the user (for example, $T_S^{**} = 
T_S \pm \epsilon$, with $\epsilon$ a small quantity). Using the previously recovered internal 
state, the attacker can compute a new value $C_S^{**} = h(ID_A \,\|\, R'_A \,\|\, T_S^{**})$, 
which will be forwarded to the user along with $T_S^{**}$. Note that the user 
cannot detect the forgery as long as the timestamp is valid, so $C_S^{**}$ will 
be accepted as a proof of having obtained the previously sent nonce $R_A$. 
However, both user and server will compute different values for the session 
key (as it depends on $T_S$) and they will not be able to further communicate 
securely even though the protocol has finished correctly. 

² A key establishment protocol is said to offer perfect forward secrecy if the disclosure 
of one secret does not compromise previously established sessions. 
4 Conclusions 

We have presented an off-line password guessing attack on Song's protocol, 
and shown that it also has some other weaknesses despite its designer's 
claims. Unfortunately, being insecure seems to be the common denominator 
of the vast majority of the schemes proposed to date. As in the case of some 
other related areas, more detailed security analyses need to be performed. 